Geopolitical and Cybersecurity Risk Weekly Brief 11 May 2020

11 May 2020

COVID-19 Cybersecurity Update

Internet and cloud providers have been challenged to reliably handle increased traffic and bandwidth strain due to the sudden shift to remote working. Between March and April, there was a 17 per cent increase in the number of DDoS attacks from the previous peak (in 2019), with over 864,000 DDoS attacks observed worldwide. Link 11 analysis also showed that the maximum bandwidth of DDoS attacks had doubled in Q1 2020 compared to the same quarter last year.

This week, the UK National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency released a joint advisory concerning the targeting of coronavirus response organisations by state-sponsored threat groups. Healthcare bodies, medical research organisations, pharmaceutical companies, academia, and local governments have been attacked. The Guardian also reported that hostile states, such as China, Russia, and Iran, have been targeting British universities and scientific facilities to steal research related to COVID-19, including vaccine development. None of the attacks are believed to have been successful.

Scams continue to leverage the coronavirus to trick unsuspecting email recipients or website browsers into opening attachments or clicking links. File and app names used include "FlashPlayerUpdate.apk" (targeting Australia), an app called "Koronavirus haqida" (targeting Uzbek victims), "Covid-19_Safety_Guildlines.jar", "COVID-19 Test Kit- URGENTLY NEEDED", "COVID19 Test kit.exe", and "COVID 19 Security Document.pdf".

The coronavirus tracking map, developed by academics at Johns Hopkins University, is also still being leveraged in scams. Fake sites which copy the map are used to send adverts to those who view the site. These adverts often send users to pages that claim to sell PPE and other medical equipment but steal either money or personal data.

HMRC has taken down 292 scam web addresses exploiting the coronavirus outbreak since 23 March. Of these, 237 were proactively identified by HMRC; the other 55 were flagged by members of the public.

Threat actors are taking advantage of the uncertain employment environment to recruit individuals into money mule scams. These scams pose as work-from-home opportunities. If the victim accepts the job offer, they are first tasked with minor actions to establish trust and credibility, and are then told to move funds that have been stolen. One such campaign targeted a global financial institution with an offer of part-time work.

Nigerian threat actors, known as SilverTerrier, launched ten COVID-19-themed Business Email Compromise (BEC) and malware distribution campaigns between 30 January and 30 April. These involved sending over 170 phishing emails to a broad range of targets, including government healthcare agencies, local government departments, universities, utility providers, medical publishing firms and insurance providers in the US, Canada, Australia, Italy and the UK.

Security researcher Lukas Stefanko has uncovered a new Android banking Trojan dubbed Android bot Nautilus-BOT v1.0. The malware is currently targeting French users in an ongoing spam campaign. It hides behind a fake COVID-19 alert which lures users into downloading a malicious APK, infecting themselves with the banking Trojan, which then steals their credentials.

Attacks and cybersecurity news

A new campaign from the North Korean group Lazarus is targeting the UK defence industry. Researchers found a malicious document referencing a job description for a senior design engineer at BAE Systems, a British defence, security, and aerospace company. US aviation giant Boeing was targeted hours before. Researchers also observed Kimsuky – another North Korean group that is also linked to Lazarus – targeting a South Korean defence company that produces engines used in tanks and destroyers. BAE Systems has been called in for digital forensics and incident response on several occasions in the wake of Lazarus attacks, for example at the Far Eastern International Bank (FEIB) in Taiwan and the Bangladesh Bank, after both were breached by the group. This suggests Lazarus is specifically targeting BAE.

The global financial sector is being targeted with the EVILNUM malware. Those targeted include the CEO of a bank in a British territory, an investment company in England, and a financial executive in Canada. Since February 2019, threat actors have impersonated CEOs and other banks in decoy documents attached to phishing emails. Google Cloud services such as Gmail and Google Drive are used to host malicious payloads and server URLs for downloading the malware, meaning that several antivirus systems do not detect the threat as malicious.

Toll Group took some of its IT systems offline after detecting "unusual activity" on a number of its servers. Customer-facing systems such as MyToll, as well as contact centres, were temporarily taken down. Toll later confirmed that it had been infected with the Nefilim ransomware. The company was the victim of a targeted ransomware attack in early 2020 but has claimed that this incident is unrelated to the previous attack.

More than 900,000 WordPress sites were targeted in attacks attempting to redirect visitors to malvertising sites or to plant a backdoor if an administrator is logged in. This is believed to be the work of a single threat actor who used at least 24,000 IP addresses over the course of a month to send malicious requests to the sites. Vulnerable plugins used in the attack include Easy2Map (patched August 2019), Blog Designer (patched in 2019), GDPR Compliance (patched in 2018), Total Donations (patched in 2019), and the Newspaper theme (patched in 2016).

Local media and private forensic reports revealed that CPC Corp., Taiwan’s state-owned energy company, was hit by an extensive ransomware attack. The firm later confirmed the attack in a statement on its website. The Formosa Petrochemical Corp (FPCC) also confirmed it had been affected by the attack. The attack resulted in petrol stations across the country being unable to accept payment by CPC VIP cards or electronic transaction apps.

With support from Europol and Eurojust, Polish and Swiss law enforcement authorities have taken down the InfinityBlack threat group. This group is known for distributing stolen user credentials, fraud, and creating and distributing malware and hacking tools. Five alleged members of the group were arrested. Loyalty programmes have been increasingly targeted by hackers because they are perceived as easy but lucrative targets: stealing password details for loyalty programmes can also provide access to sensitive data such as credit card details. Retailers offering such programmes are higher-risk targets.

GoDaddy has informed some of its customers that an unauthorised party used the company's web hosting account credentials to connect to their accounts via SSH. The breach itself occurred in October 2019 but was only recently discovered. The company has not found any evidence that the attackers added or modified any files on the impacted accounts. Nevertheless, login information for the impacted accounts has been reset. Later in the week, another hosting provider, DigitalOcean, also announced a breach of its systems.


Data breaches, fraud, and vulnerabilities

Data Breaches

ShinyHunters has been found selling data from seven additional companies, bringing the threat actor’s breach total to 13 companies. ShinyHunters was first recognised for stealing and selling data from Tokopedia, the largest online store in Indonesia. Since then, the threat actor has also sold stolen data from Unacademy, Microsoft's private GitHub repository, Homechef, Chatbooks, and The Chronicle of Higher Education. ShinyHunters appears to be gaining traction, releasing data from multiple companies in a short period of time.

The Ragnar operators have leaked data from Energias de Portugal on their darknet leaks site. This follows an initial attack in mid-April. Cyjax has obtained a copy of the data. Clients interested in further details about the contents of the files should contact us.

A database from the mobile dating app MobiFriends is available for free download on Raid Forums. It comprises 3,688,060 records, including usernames, MD5-hashed passwords, email addresses, dates of birth, genders, website activity and mobile numbers.

The infamous leaker LabDookhtegan has recently made available the last names of members of a new Iranian APT. The leaker refers to the group as “Members of the Ansar Unit Hacking and Security Group”. This group is believed to be responsible for attacking infrastructure, oil fields, airports, websites and other sectors. It has also been linked to the hacking unit responsible for the Shamoon wiper incident at Saudi Aramco.

The details of 44 million Pakistani mobile subscribers have been leaked online. The data is from a collection of 115 million Pakistani mobile user records which were being sold on the darknet in April for 200 Bitcoin (roughly $2.1 million). These leaked files contain both personally identifiable information (PII) and telephony-related information.

The personal details of 774,000 individuals in Australia's migration system have been exposed. The data was made publicly available via the Home Affairs Department's SkillsSelect platform, which looks for skilled workers who want to move or work in Australia. 774,326 unique user IDs and 189,426 completed expressions of interest, dating back to 2014, were exposed.

An anti-fascist group known as Distributed Denial of Secrets (DDoSecrets) has reportedly dumped over 9,800,000 searchable messages from neo-Nazi, QAnon, and other far-right Discord servers. The leak also includes over 100,000 messages from the ‘Trump's Republic’ group, and other servers named ‘14 Words’, ‘Nordic Frontier’, ‘Official /pol/’, ‘The German Reich’, ‘The Based Club’, ‘Nazi Germany’, and the ‘Waffen-SS’.

Fraud

Multiple phishing campaigns are being used in credential harvesting attacks targeting Microsoft platforms during the coronavirus pandemic. Threat actors have created fake login pages designed to look like Outlook Web Access (OWA) and Office 365 to collect email addresses and passwords for these accounts. SharePoint, Zoom, and WebEx are also being targeted. Over 50,000 phishing detections were identified between January and the end of April 2020. The users affected most were in the USA, Germany, Canada, Taiwan, Japan, Australia, and Hong Kong.

A new phishing campaign targeting Office 365 credentials uses cloned imagery from automated Microsoft Teams notifications. The attacks are unusual because the threat actors clone the genuine Microsoft Teams alerts rather than building them from scratch with mismatched imagery, which gives the notifications a much more legitimate look.

The latest activity from the Magecart group has seen fake favicons used to host and load a JavaScript web skimmer onto compromised e-commerce portals. The skimmer then steals the customer’s credit card and personal information. The attackers registered a new website claiming to offer thousands of images and icons to download. All of the content on this site is loaded from a legitimate icon site, and benign images were posted on all of the site pages except for the checkout page.

Eleven new fake cryptocurrency wallets have been discovered on the Chrome Web Store attempting to steal crypto-wallet credentials. These add-ons masquerade as legitimate wallets for apps including KeepKey, Jaxx, Ledger, and MetaMask. Some are still available to download, but at least eight have been taken down.

A new series of phishing attacks is using fake certificate error warnings to steal account credentials. Up to 5,000 Cisco Webex users have already been targeted. Users are asked to click on a hyperlink to log into their account. The phishing page mimics the real Cisco Webex sign-in page and asks the recipient to enter their credentials, which are then stolen and delivered to the attackers.

Vulnerabilities

We recommend updating the products listed below to the most recent version as soon as possible in line with your company’s product update schedule:

  • Stored credentials vulnerability in the Avira Free Antivirus software
  • Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software
  • Oracle WebLogic Server remote code execution vulnerability (CVE-2020-2883) – currently being exploited in the wild
  • Two SQL injection vulnerabilities in Joomla! – no patch available
  • Citrix ShareFile storage system
  • Fazecast and SAE IT-systems ICS products
  • Extreme Networks products
  • Accusoft ImageGear
  • Multiple persistent vulnerabilities in the File Explorer app for iOS devices
  • Elementor Pro and Ultimate Addons for Elementor WordPress plugins – these flaws can allow hackers to execute arbitrary code and fully compromise targets

The LineageOS Android custom operating system suffered a full outage after threat actors breached the project's main infrastructure. The attackers exploited a high-severity vulnerability in the open-source “Salt” management framework to gain access to the systems.

AusCERT has issued a security advisory for multiple vulnerabilities disclosed in the Android Security Bulletin for May 2020. Successful exploitation of some of these vulnerabilities could result in denial of service, privilege escalation, remote code execution, or information disclosure. The products affected include:

  • Android Open Source Project (AOSP) repository
  • Android 8.0, 8.1, 9, 10
  • Android Kernel Scheduler
  • PCAN-USB driver
  • Android Suite Daemon


APT Activity and Malware Campaigns

APT activity

A new cyber-espionage campaign has been launched against various APAC countries by a group tracked as Naikon APT. The operation has similarities to other Chinese APT campaigns, such as ViciousPanda. The campaign started in 2016, but activity increased significantly in 2020. The group deployed a new backdoor against several national governments, including those of Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei. Targeted entities include ministries of foreign affairs, science and technology, and government-owned companies.

A TransparentTribe campaign from September 2019 appears still to be targeting India. The exact objectives of the campaign are currently unknown. A malicious document purports to come from the Minister of Foreign Affairs of the Islamic Republic of Iran. The malware delivered in this campaign is believed to be Crimson RAT. TransparentTribe is a state-sponsored Pakistani cyberespionage group which has conducted various attacks targeting the Indian military, air force academy, and most recently, some financial institutions.

A new dropper has been linked to the North Korean APT known as Kimsuky. The malware code is signed with a Sectigo certificate connected to a company in the UK called ‘NJRSA Limited’. Gcow Security also recently analysed Kimsuky and Lazarus’ activities. Many of the Hangul Word Processor documents incorporated into both groups’ attacks exploit a vulnerability tracked as CVE-2017-8291.

Malware

Cyjax analysts revealed new activity from some of Emotet’s known Epoch 2 C&C servers. The samples reference various subjects including the US military’s Space Command, Moscow, President Trump, and William Bryan. Emotet is also now dropping adware, known as Graftor (also called LoadMoney). The Emotet botnet is showing signs of re-emerging from a weeks-long hiatus, presaging a significant increase in the global malware threat level.

The operators of the DoppelPaymer ransomware have encrypted and stolen data from three organisations:

  • ICM - International Commerce & Marketing Corp. The group has linked the company's website as postalproducts.com, which is the website for Postal Products Unlimited, one of multiple subsidiaries of ICM - International Commerce & Marketing Corp. It is therefore unclear which company the group has attacked.
  • Phipps Dickson Integria (PDI) Inc - a printing specialist company based in Canada.
  • Roger Martin - a French construction organisation.

Maze ransomware was used to encrypt and steal data from Sparboe Companies - a US-based provider of egg products. The malware operators uploaded the Sparboe data to their leak site on 7 May. They also attacked two cosmetic surgery practices in the last week.

Snake ransomware has returned: it was recently used in an attack against one of Europe’s largest hospital operators, Fresenius. Several other European and US organisations have been attacked by Snake. The ransomware first appeared in January 2020, but few new infections had been detected in the wild since then. Similar to many organised crime ransomware operators, Snake now claims to steal a victim organisation's data before encrypting computers on a network.

A unique version of the Nemty ransomware has been identified in a campaign targeting South Korea. The Vidar infostealer was also dropped. Three weeks ago, Nemty ransomware was reported as having shut down, after 10 months of operation. It was reported that the authors had used significant parts of Nemty’s code to create a new ransomware called Nefilim. This latest Nemty incident is, therefore, unexpected: to see it return as a ‘special edition’ is unusual.

An extensive new Cerberus Android mobile remote access tool (MRAT) campaign has been uncovered. Analysis of seven Cerberus MRAT samples showed that over 4,000 individuals were infected after downloading the fake APKs under which the malware was disguised. Three new C&C domains used by the Cerberus MRATs were also discovered.

Analysis of REvil ransomware samples has uncovered changes to the code in REvil version 2.2. The Ransomware-as-a-Service (RaaS) operation has remained active during the coronavirus pandemic.

Darknet

The source code of the popular darknet market CannaHome has leaked online. Market source code leaking is not uncommon; indeed, many darknet markets reuse the same source code due to a shortage of developers. What makes this leak noteworthy, however, is that it includes a database that allegedly contains vendors’ usernames, chats and order logs. Although much of this data is likely to be encrypted, the database also allegedly contains some users’ private PGP keys, so partial decryption may be possible.

Elsewhere on the darknet, the Dread admins have shut down the subDread of the popular market BitBazaar. This came after allegations that BitBazaar’s admins were artificially inflating the number of posts to increase their market’s visibility. This is not the first time BitBazaar has been accused of underhand tactics on the darknet: previously, it was alleged that the market’s admins were responsible for the DDoS attacks which plagued the darknet earlier this year. That the BitBazaar admins have again employed underhand tactics to increase their customer base illustrates their desperation to challenge Empire’s dominance.


COVID-19 Geopolitical Threats and Impacts

Americas

Low-cost US airline JetBlue will require all passengers to wear a face covering during travel from 4 May, as part of efforts to minimise the risk of coronavirus (COVID-19) transmission. Delta, American, Frontier, and United Airlines announced their own measures mandating the compulsory use of a face covering. The policies are likely to become standard across the US aviation sector and have begun to be adopted overseas, with Germany’s Lufthansa Group also announcing that its passengers will be required to wear a face covering from 4 May.

Delta Air Lines has also announced new limits on aircraft seating capacity in order to ensure social distancing between passengers. The announcement comes as countries across the world seek to resume economic activity while simultaneously containing the spread of COVID-19. Given the limited physical space on aircraft and airlines’ prior business models, ensuring social distancing on aircraft while maintaining accessible ticket prices is a significant challenge facing carriers across the world. Companies operating in the commercial aviation sector should monitor updates on airlines’ limits on capacity and assess the impact on operations, strategic and financial planning.

On 4 May, Venezuelan authorities said they had arrested two US citizens in connection with a failed seaborne incursion into the country. Venezuelan authorities said the two men had been working with Jordan Goudreau, a US military veteran and owner of Florida-based security company Silvercorp USA. Eight people are reported to have been killed and two arrested in the incursion, allegedly seeking to oust Maduro. Both Maduro and his main rival, Juan Guaidó, have sought to attribute the failed invasion to the other’s political cause. While Maduro has said that Guaidó organised the plot to oust him, Guaidó has accused Maduro of seeking to distract the population from other pressing problems, such as the coronavirus (COVID-19) pandemic and a recent deadly prison riot in the western state of Portuguesa which left more than 40 people dead. Given the involvement of two US citizens and the invasion’s alleged organisation from Florida, the official version of events is the more probable of the two. Companies with interests in Venezuela should continue to monitor developments related to fragile internal security and opposition to the Maduro government amid the pandemic.

On 3 May, the Peruvian government published a decree authorising the gradual resumption of mining, construction, and various other economic sectors whose activities had been halted amid the coronavirus (COVID-19) pandemic. Companies must adhere to strict health and sanitary policies, due to be set by local governments in the coming five days. Other sectors permitted to restart operations include industrial fishing and agriculture. The announcement is particularly significant for the country’s large mining sector – Peru is the world’s second largest producer of copper, and also produces large quantities of gold, silver, and zinc, among other metals. The move indicates that the government is confident that the spread of COVID-19 in Peru is coming under control, and that work in key economic sectors can resume with appropriate health and social-distancing practices.

On 5 May, a spokesperson for the UN human rights body, UNHCHR, warned that conditions in many prisons in the Americas region are ‘deeply worrying’ during the coronavirus (COVID-19) pandemic. Rupert Colville said that pre-existing conditions, including widespread overcrowding, unhygienic facilities, and inmates’ lack of access to healthcare, had ‘enabled the rapid spread of COVID-19’ in many jails. Colville’s comments come amid reports of prison riots and inmates staging protests across Latin America during the pandemic; more than 50 inmates have died in Venezuela and Peru alone. There is a moderate-to-high likelihood of further such riots in overcrowded facilities in Latin America while daily new cases of COVID-19 continue to rise. Companies with staff and assets in or near prison facilities should reassess security planning amid reports of multiple security incidents.

APAC

Political statements and reports over the past few days point towards an accelerating downward spiral in relations between China and the United States. On 4 May, a senior US security official appealed to the Chinese population to consider whether the ruling communist party governed the country in their or its own best interests. The same day the Reuters news agency published a summary of a report allegedly prepared in early April by the China Institutes of Contemporary International Relations, an influential think tank affiliated with the Ministry of State Security, China’s leading intelligence agency. The report is said to warn that anti-Chinese sentiment around the world is now at its highest level since the 1989 Tiananmen Square killings and that rising levels of animosity between the two countries could result in direct conflict.

US companies and individuals in China should prepare for a period of increased official surveillance and even hostility. Companies, for example, should assess how an orchestrated campaign employing nationalist and anti-American rhetoric may affect their staff and their business. This could include further reducing the number of US nationals where possible while protecting local staff deemed vulnerable to pressure. Other contingency plans should also be reassessed with corporate security advisors and embassy personnel.

China's Hong Kong and Macau Affairs (HKMA) office warned this week that the Beijing government would not tolerate what it termed the ‘political virus’ of violent protest in the territory while urging the local administration to ‘take real action’ against activists. There is no doubt Beijing has informed the Hong Kong government that there can be no return to the level and scale of violent protests the onset of COVID-19 effectively ended in late 2019 and early 2020. It is uncertain whether activists will adopt new and potentially more confrontational tactics as their mass base declines, but companies operating in Hong Kong should ensure their security and operational contingency planning reflects this possibility.

Indonesia’s President Joko Widodo ordered the government’s relevant ministries to prepare for food shortages due to a combination of drier than usual weather forecast in the coming months and the impact of the coronavirus (COVID-19) on planting schedules. Food shortages in any country are a potential source of social and political instability. The Indonesian authorities are aware of this and on Tuesday Agriculture Minister Syahrul Yasin Limpo said the government’s stockpile of key food products, including rice, is sufficient to meet nationwide demand until June. Foreign companies should follow in detail issues regarding food availability, including market prices of staples, in order to assess any potential threat of public disorder as well as sources of hardship among local staff.

Also in Indonesia, business and labour groups are preparing for what is set to be a potentially destabilising confrontation over the government’s so-called omnibus bill, which is intended to make Indonesia more attractive to investors at what trade unions see as the expense of workers’ rights. Legislation intended to turn the bill into law has been delayed due to the coronavirus pandemic, giving both sides more time to argue their case. The pandemic has forced the closure of much of Indonesia’s manufacturing base, with no indication as to when production will be able to resume. The key textile sector warned on Thursday that more than 70 per cent of factories employing hundreds of thousands of workers face permanent closure; 80 per cent are already reported to have suspended operations, and there appears to be no reason why the remainder should not follow suit in the coming few weeks. While the country is set to remain relatively stable for the remainder of Ramadan, there are concerns that a combination of renewed labour activism and the social response to the pandemic will result in potentially violent unrest in the three-month outlook.

Europe

The French government will tighten restrictions on foreign investment amid heightened concern that the coronavirus (COVID-19) outbreak has left assets of strategic importance vulnerable to takeovers by non-EU entities. Meanwhile, Germany is changing foreign trade regulations requiring the government to be informed of purchases by non-EU countries of stakes of 10 per cent or more in key healthcare firms. This is representative of an accelerating EU-wide trend where governments have sought to enhance their powers, allowing more control over foreign investment. Italy has also taken steps to protect companies in sensitive sectors such as defence, healthcare, and technology from foreign investors. While protecting key assets amid a global crisis is seen as a legitimate motive, more political intrusion in private markets will harm investor confidence and likely impact foreign direct investment flows amid a looming economic recession.

France-based car manufacturer PSA Group, which consists of brands like Peugeot and Citroën, re-opened some of its sites between 4 and 11 May, with those in France re-starting production from 11 May. Strict health and security measures, including temperature checks, providing protective equipment for staff, and social distancing guidelines will be in place. Meanwhile, Romanian carmaker Dacia and the Ford Motor Company, which has a plant in Craiova, Romania, both resumed production on Monday after a temporary halt. This comes as a state of emergency in Romania was extended until 15 May. The resumption at more car manufacturing plants indicates that firms are confident that operations can run safely with additional health measures in place.

A series of arson attacks targeting mobile telephone infrastructure, banks, business premises, and government agencies in France has been blamed on far-left, anti-capitalist groups. The risk of further attacks will be heightened once mobility improves from 11 May, when travel restrictions will be gradually eased. For arsonists, phone masts are an easy target as they are usually set up in plain sight and with little security. Other high-risk locations include sites associated with global capitalism such as banks, offices of multinational companies, retail stores, and restaurants. In light of this risk, security managers should review existing security protocols and consider allocating additional resources, including more guards and patrols as a deterrent.

The three Baltic states have reached an agreement to establish a common travel zone from 15 May, which will allow free movement for Estonian, Latvian, and Lithuanian citizens. Visitors arriving from outside the three countries will still be required to undergo a 14-day quarantine upon arrival. This represents the first common travel zone in the EU after countries across Europe shut their borders to tackle the spread of COVID-19. Countries in the Baltics quickly imposed widespread restrictions in the early stages of the outbreak and this agreement indicates confidence that COVID-19 has been effectively contained in the region as well as mutual trust in the strength of healthcare systems. Companies with staff based in the region should assess the decision’s impact on staff travel and planning.

The EU has pledged a ‘robust economic and investment plan’ for the Balkans region in addition to EUR3.3 billion in aid to help countries cope with coronavirus (COVID-19). A declaration during a video summit on 7 May also called on Balkans states to follow ‘EU foreign policy positions, notably on issues where major common interests are at stake’. The summit and pledge for further economic support to the region underscores elevated concern that China and Russia have sought to use COVID-19 as an opportunity to gain a stronger foothold in the Balkans. By reaffirming its commitment to eventually accepting all Balkan states as members, the EU is effectively seeking to counter Chinese and Russian influence. Growing attention and financial support for the Western Balkans is also reflective of the region’s increasing geopolitical importance.

MENA and Central Asia

Iranian President Hassan Rouhani threatened a ‘crushing response’ should the United States proceed with a plan to extend a United Nations arms embargo. The UN is set to lift the embargo on Iranian trade of conventional arms in October this year, as per the 2015 Joint Comprehensive Plan of Action (JCPOA, nuclear deal) between Tehran and world powers that saw Iran accept limits to its nuclear programme in return for the lifting of sanctions. Washington now says it wants to extend the embargo, part of its ‘maximum pressure’ campaign against Iran. This is especially so after Iran’s successful launch of a military satellite this month, which the US says is in violation of Security Council Resolution 2231, which formally endorsed the deal.

However, UN Security Council members Russia and China, which wield veto power and are still part of the nuclear deal, stand to win new arms contracts with Iran including the sale of aircraft, tanks and warships, and they have publicly rejected an extension of the ban. They will likely proceed with planned arms sales in contravention of any sanctions. For its part, Iran will probably continue its aggressive posture and rhetoric amid elevated tensions with the US, including directing pro-Iranian groups in Iraq to attack US military interests and harassing US ships in the Gulf.

The spokesperson for Turkey’s ruling Justice and Development Party (AKP), Ömer Çelik, recently stated that the country will begin reviving the economy in late May. The head of Turkey’s Council of Shopping Centres has also reportedly indicated that shopping centres are preparing to gradually re-open from 11 May while keeping social-distancing measures in place. Meanwhile, flag carrier Turkish Airlines extended its cancellation of flights to 28 May. The airline had previously planned to resume services on 20 May. The news suggests that the COVID-19 outbreak is slowing in Turkey, which had one of the fastest rates of infection in the world. Turkish health minister Fahrettin Koca said on 28 April that the country’s recovery figure is the highest since the first confirmed coronavirus case on 11 March. The government will need to carefully manage its planned reopening of the economy, as it could lead to a surge in new cases and the re-imposition of restrictions. Such a scenario would probably further fuel anti-government sentiment and accusations by the opposition that the government is mismanaging the crisis.

Protests have continued to take place this week across Lebanon despite coronavirus (COVID-19) movement restrictions. Lebanon’s anti-government protest movement has gained fresh momentum amid the country’s ongoing financial crisis and worsening socio-economic conditions. The fact that protesters are taking to the streets in defiance of Lebanon’s COVID-19 movement restrictions highlights the desperate situation. The recent spate of protests has been dubbed the ‘hunger revolution’, highlighting public concern over the ability to feed families. On 30 April, Prime Minister Hassan Diab announced a new financial rescue plan which includes requesting financial assistance from the International Monetary Fund, although this has been rejected by many protesters who fear it will introduce austerity measures that will increase poverty. As hunger increases and people are no longer able to pay their bills, turnout at demonstrations will grow exponentially in the coming one- to two-month period, with an elevated likelihood of violence.

The Iraqi government announced on 4 May the launch of a new counter-Islamic State (IS) offensive called ‘Desert Lions’. The offensive aims to target sleeper cells in desert areas of the western Anbar province and areas along the Syrian border. There has been an uptick in IS-claimed attacks in Iraq, with incidents more than doubling in April compared to the first three months of the year. It is likely that the group is taking advantage of ongoing issues to project power and influence while simultaneously seeking to re-establish smuggling routes and funding mechanisms. Elevated security measures are likely in the aftermath of attacks and security operations, which could cause travel delays.

At least 10 Egyptian soldiers were killed on 30 April in an IED attack in the village of Tuffaha, just south of Bir al-Abd in North Sinai. Islamic State-affiliate Sinai Province (IS-IP, or Wilayat Sinai) claimed responsibility for the attack. The next day, Cairo said its security forces had killed 126 militants in recent army operations in the Sinai Peninsula, with 18 killed on Saturday (2 May) during a raid against a militant hideout in Bir al-Abd. It is unclear if the suspects were involved in the earlier attack. Egypt’s armed forces are currently engaged in a counter-terrorism operation called ‘Sinai 2018’ that focuses on eliminating militants linked to IS-IP. Attacks periodically occur, highlighting the resiliency of militants in the area. Staff managers should monitor the situation and ensure strict journey management measures are in place in the event travel is required in North Sinai.

Kuwaiti authorities stated that police had dispersed an overnight protest by foreign Egyptian workers on 4 May. The protest marked the first sign that the country’s large population of foreign workers, who do various jobs including domestic help, construction and white-collar work, is beginning to agitate due to the loss of livelihoods from the COVID-19 crisis. Protests in Kuwait are rare and tightly controlled, and the most recent unrest indicates growing unease at the situation that has the potential to escalate into additional instances of public disturbance. Managers should expect an elevated security presence following protests. Security forces are likely to respond to any rallies heavy-handedly, including with the use of tear gas.

Sub-Saharan Africa

The World Health Organization on 30 April expressed concern about the rate of community spread of the novel coronavirus (COVID-19) in West Africa. The statement lends credence to our recent assessment that the relatively low number of infections in the sub-region was mainly due to a lack of testing capacity rather than reflecting the actual extent of infections. Although the number of infections has been slow to increase, the rate of new infections accelerated in April, with several countries reaching the 1,000-infection mark this week. As the outbreak continues to accelerate in the region, governments will likely take increasingly erratic policy decisions to contain the spread, potentially by imposing new lockdowns in badly affected areas. However, the region’s porous borders make enforcing any border closures difficult, suggesting that containment measures will not be wholly effective.

Investigative news outlet amaBhungane warned on 4 May of growing risks of fake public tenders announced on the South African treasury’s Central Supplier Database (CSD). One company notified authorities after it had been contacted by a person congratulating it for winning a contract just 24 hours after formally responding to a request for quotation (RFQ). While the decentralised CSD ecosystem, spread across several government departments, presents several vulnerabilities to data breaches, officials have pointed to the lack of face-to-face interaction during the COVID-19 lockdown as the main contributor to the increased fraud risk.

Sudan’s foreign ministry recently announced that the US had approved its appointed ambassador to Washington, Dr. Noureldin Sati – Sudan’s first ambassador to the US since 1993, when the State Department added Sudan to its list of state sponsors of terrorism. However, neither the US State Department nor the Sudanese authorities gave details about a timeframe for the veteran diplomat’s installation. The appointment and backing by the US is another indication of improving relations between the two countries as well as Sudan’s rapprochement with the West, which will be key to the country’s economic recovery and a stabilising factor for the transitional government, known as the Sovereign Council. The appointment will provide formal Sudanese representation in the US, which is likely to facilitate trade, other bilateral political agreements and travel within the one-year outlook.